SSL, or Secure Sockets Layer (in practice its successor, TLS, is what browsers negotiate today; the name "SSL" has stuck), is one of the technologies essential to security on the web. It allows a web browser and server to form an encrypted connection. Encryption is an essential part of web security. If you're browsing the web in a coffee shop or airport without encryption, it's trivial for anyone else on the same network to see exactly what you're looking at, and to modify it in transit.

Luckily, SSL is becoming more and more prevalent thanks to efforts by internet companies and a better understanding of why security is important among users. Most browsers have also started advertising that sites without SSL are insecure. The images below show what websites that are using SSL look like on Google Chrome vs. those that are not using SSL:

SSL works by installing on the web server a certificate issued by a trusted certificate authority (CA). The browser checks that certificate to verify it is really talking to your domain before it sets up the encrypted connection. Traditionally these certificates were not free and were complicated to configure. That changed with the introduction of the Let's Encrypt CA. Let's Encrypt provides free SSL certificates along with a client program (now called Certbot) that automatically obtains, installs and renews them - very cool.

Prerequisites

This guide assumes that you have a domain name pointed at an AWS EC2 instance running Amazon Linux. This instance should be set up with the Apache web server and you should have access via SSH. If you don't have this setup, the following steps will not work.

Also note that this will require restarting the web server, so it's worth doing it at an off-peak time if you have a high-traffic site.

Configure Apache

It's important to have a properly configured web server before continuing. Apache's main configuration file is located at /etc/httpd/conf/httpd.conf.

In my case, I was able to run with most of the default settings. I did update the ServerName and ServerAdmin fields. Somewhere in your httpd.conf file should be the following lines:

ServerName www.yourdomain.com
ServerAdmin you@yourdomain.com

ServerName should match the hostname you are about to request a certificate for, because the Let's Encrypt client uses it (and any ServerAlias entries) to find the virtual host to install the certificate into.

Run Let's Encrypt

The command below is the big one. It runs the Let's Encrypt client and has it generate and install certificates. One thing to note - at the time of writing, Let's Encrypt did not issue wildcard certificates (they have since become available through ACME v2, but only with DNS-based validation, which this guide does not cover). Therefore all subdomains must be explicitly specified as -d arguments. At a minimum, the bare domain and the www subdomain should be specified. The --debug flag is required because Amazon Linux is not one of the client's officially supported platforms; without it the client refuses to run. Here's the command:

sudo /opt/letsencrypt/letsencrypt-auto --debug -d www.yourdomain.com -d yourdomain.com

A note about RAM

The first time I ran this command on a t2.nano instance it failed because that instance did not have enough RAM (it only has 512 MB). The workaround I used was adding 1 GB of swap space. Swap space is essentially hard disk space masquerading as additional RAM. It's significantly slower than RAM, but that's not a huge deal for our purposes. If you run into the same thing, you can run these commands then re-run the big one above:

sudo /bin/dd if=/dev/zero of=/var/swap.1 bs=1M count=1024
sudo /sbin/mkswap /var/swap.1
sudo chmod 600 /var/swap.1
sudo /sbin/swapon /var/swap.1

The chmod matters: the swap file can contain anything that was in memory, including private keys, so it must not be readable by other users. Note also that swap enabled this way does not survive a reboot; if you want it permanently, add an entry for /var/swap.1 to /etc/fstab.

Configure Let's Encrypt Updates

Let's Encrypt certificates are only valid for 90 days. Therefore a script must be run at a regular interval to renew the certificates before they expire.
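As an added example, not part of the original post, here is a cron-friendly script that checks how many days the live certificate has left, runs the client's renewal when it is within the 30-day window the client itself uses, and exits non-zero if the certificate is still close to expiry afterwards, so a silently broken renewal shows up in cron's mail. It assumes a certificate path of /etc/letsencrypt/live/www.yourdomain.com/cert.pem (the client stores certificates under live/<first -d name>/), that the installed client supports the renew subcommand, and that Apache on Amazon Linux is reloaded with service httpd reload; the script name check-cert-renewal.sh is also an assumption. The date arithmetic is done in POSIX shell so it does not depend on GNU date.

```shell
#!/bin/sh
# Expiry check and renewal helper for a Let's Encrypt certificate on
# Amazon Linux + Apache. Assumptions (not from the original post): the client
# is /opt/letsencrypt/letsencrypt-auto and supports `renew`, the certificate
# lives under /etc/letsencrypt/live/<first -d name>/, and Apache is reloaded
# with `service httpd reload`.

CERT_PATH=/etc/letsencrypt/live/www.yourdomain.com/cert.pem   # assumed path
RENEW_THRESHOLD=30   # the client's own rule: renew when fewer than 30 days remain

# Days since 1970-01-01 for a Gregorian y/m/d (Howard Hinnant's
# days_from_civil algorithm) in POSIX shell arithmetic. Valid for year >= 0.
days_from_civil() {
    y=$1 m=$2 d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi          # March-based year
    era=$((y / 400))
    yoe=$((y - era * 400))                             # year of era [0, 399]
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(((153 * mp + 2) / 5 + d - 1))                # day of year, March-based
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))     # day of era
    echo $((era * 146097 + doe - 719468))
}

month_number() {
    case "$1" in
        Jan) echo 1 ;;  Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
        May) echo 5 ;;  Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
        Sep) echo 9 ;;  Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) echo "unknown month: $1" >&2; return 1 ;;
    esac
}

# Day number for a line such as "notAfter=Mar  5 12:00:00 2025 GMT", which is
# what `openssl x509 -enddate -noout -in cert.pem` prints.
enddate_to_days() {
    end=${1#notAfter=}
    set -- $end                 # word-split into: month day time year zone
    days_from_civil "$4" "$(month_number "$1")" "$2"
}

# Day number for a YYYY-MM-DD string (the output of `date -u +%Y-%m-%d`).
# Leading zeros are stripped so "08" and "09" are not read as octal.
iso_to_days() {
    iy=${1%%-*}; irest=${1#*-}; im=${irest%%-*}; id=${irest#*-}
    days_from_civil "$iy" "${im#0}" "${id#0}"
}

# Whole days remaining on the certificate, given the openssl notAfter line
# and today's date in YYYY-MM-DD form.
days_left() {
    echo $(( $(enddate_to_days "$1") - $(iso_to_days "$2") ))
}

# Exit status 0 when a renewal is due under the threshold above.
renew_due() {
    [ "$1" -lt "$RENEW_THRESHOLD" ]
}

# Days left on the certificate actually installed on this host.
live_days_left() {
    days_left "$(openssl x509 -enddate -noout -in "$CERT_PATH")" \
              "$(date -u +%Y-%m-%d)"
}

main() {
    left=$(live_days_left)
    echo "certificate expires in $left days"
    if renew_due "$left"; then
        # Renew every certificate the client manages that is inside the window,
        # then reload Apache so it serves the new files (assumed commands).
        sudo /opt/letsencrypt/letsencrypt-auto renew --quiet
        sudo service httpd reload
    fi
    # Fail loudly if the certificate is still close to expiry after this run:
    # that is the signal that automated renewal has silently broken.
    left=$(live_days_left)
    ! renew_due "$left"
}

# Only run the real check when invoked as a script, not when sourced.
case "$0" in *check-cert-renewal.sh) main ;; esac
```

Install it with a crontab entry such as running it twice a day (the client's own recommendation for renewal checks); a non-zero exit will be mailed to the cron user, which is the alert you want when renewal stops working.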